path: root/net-mgmt/nagios/files/patch-CVE-2012-6096
--- cgi/getcgi.c.orig	2011-08-17 17:06:27.000000000 +0930
+++ cgi/getcgi.c	2013-01-11 17:02:53.000000000 +1030
@@ -137,14 +137,15 @@
 		/* check for NULL query string environment variable - 04/28/00 (Ludo Bosmans) */
 		if(getenv("QUERY_STRING") == NULL) {
 			cgiinput = (char *)malloc(1);
-			if(cgiinput == NULL) {
-				printf("getcgivars(): Could not allocate memory for CGI input.\n");
-				exit(1);
-				}
-			cgiinput[0] = '\x0';
+			if(cgiinput != NULL) 
+				cgiinput[0] = '\x0';
 			}
 		else
 			cgiinput = strdup(getenv("QUERY_STRING"));
+		if(cgiinput == NULL) {
+			printf("getcgivars(): Could not allocate memory for CGI input.\n");
+			exit(1);
+			}
 		}
 
 	else if(!strcmp(request_method, "POST") || !strcmp(request_method, "PUT")) {
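Review bot: The empty-query branch still uses `malloc(1)` plus an unbraced, conditional store, while the other branch uses strdup(); writing `cgiinput = strdup("");` would give both branches the same shape and let the single NULL check that follows cover them without the extra `if(cgiinput != NULL)`. The patch itself already uses `strdup("")` for empty values later in this file. A short comment above the shared check, such as `/* covers both allocation paths above */`, would make the intent clear to the next reader. The enclosing function starts and ends outside this hunk.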
@@ -220,7 +221,12 @@
 	paircount = 0;
 	nvpair = strtok(cgiinput, "&");
 	while(nvpair) {
-		pairlist[paircount++] = strdup(nvpair);
+		pairlist[paircount] = strdup(nvpair);
+		if( NULL == pairlist[paircount]) {
+			printf("getcgivars(): Could not allocate memory for name-value pair #%d.\n", paircount);
+			exit(1);
+			}
+		paircount++;
 		if(!(paircount % 256)) {
 			pairlist = (char **)realloc(pairlist, (paircount + 256) * sizeof(char **));
 			if(pairlist == NULL) {
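Review bot: The new check is written as `if( NULL == pairlist[paircount]) {`, while the surrounding code in the same loop uses the form `if(pairlist == NULL) {` with no inner space and the pointer on the left. Matching the file's convention, `if(pairlist[paircount] == NULL) {`, keeps the added checks consistent with the code around them. The same applies to the three `if( NULL == cgivars[ ... ])` checks in the @@ -245 hunk. The loop body continues past the end of this hunk.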
@@ -245,13 +251,29 @@
 		/* get the variable name preceding the equal (=) sign */
 		if((eqpos = strchr(pairlist[i], '=')) != NULL) {
 			*eqpos = '\0';
-			unescape_cgi_input(cgivars[i * 2 + 1] = strdup(eqpos + 1));
+			cgivars[i * 2 + 1] = strdup(eqpos + 1);
+			if( NULL == cgivars[ i * 2 + 1]) {
+				printf("getcgivars(): Could not allocate memory for cgi value #%d.\n", i);
+				exit(1);
+				}
+			unescape_cgi_input(cgivars[i * 2 + 1]);
+			}
+		else {
+			cgivars[i * 2 + 1] = strdup("");
+			if( NULL == cgivars[ i * 2 + 1]) {
+				printf("getcgivars(): Could not allocate memory for empty stringfor variable value #%d.\n", i);
+				exit(1);
+				}
+			unescape_cgi_input(cgivars[i * 2 + 1]);
 			}
-		else
-			unescape_cgi_input(cgivars[i * 2 + 1] = strdup(""));
 
 		/* get the variable value (or name/value of there was no real "pair" in the first place) */
-		unescape_cgi_input(cgivars[i * 2] = strdup(pairlist[i]));
+		cgivars[i * 2] = strdup(pairlist[i]);
+		if( NULL == cgivars[ i * 2]) {
+			printf("getcgivars(): Could not allocate memory for cgi name #%d.\n", i);
+			exit(1);
+			}
+		unescape_cgi_input(cgivars[i * 2]);
 		}
 
 	/* terminate the name-value list */
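Review bot: The error message added in the else branch reads "empty stringfor variable value", with a space missing; it should be `"getcgivars(): Could not allocate memory for empty string for variable value #%d.\n"`. The `unescape_cgi_input()` call on the freshly duplicated `""` in that branch looks redundant, assuming the function only decodes escapes in place (its body is not visible here). The three strdup/check/exit sequences differ only in their message and could share one small static helper that duplicates the string or exits.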
--- cgi/history.c.orig	2011-08-17 17:06:27.000000000 +0930
+++ cgi/history.c	2013-01-11 17:03:18.000000000 +1030
@@ -805,16 +805,22 @@
 			else if(display_type == DISPLAY_HOSTS) {
 
 				if(history_type == HOST_HISTORY || history_type == SERVICE_HISTORY) {
-					sprintf(match1, " HOST ALERT: %s;", host_name);
-					sprintf(match2, " SERVICE ALERT: %s;", host_name);
+					snprintf(match1, sizeof( match1), 
+							" HOST ALERT: %s;", host_name);
+					snprintf(match2, sizeof( match2), 
+							" SERVICE ALERT: %s;", host_name);
 					}
 				else if(history_type == HOST_FLAPPING_HISTORY || history_type == SERVICE_FLAPPING_HISTORY) {
-					sprintf(match1, " HOST FLAPPING ALERT: %s;", host_name);
-					sprintf(match2, " SERVICE FLAPPING ALERT: %s;", host_name);
+					snprintf(match1, sizeof( match1), 
+							" HOST FLAPPING ALERT: %s;", host_name);
+					snprintf(match2, sizeof( match2), 
+							" SERVICE FLAPPING ALERT: %s;", host_name);
 					}
 				else if(history_type == HOST_DOWNTIME_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY) {
-					sprintf(match1, " HOST DOWNTIME ALERT: %s;", host_name);
-					sprintf(match2, " SERVICE DOWNTIME ALERT: %s;", host_name);
+					snprintf(match1, sizeof( match1), 
+							" HOST DOWNTIME ALERT: %s;", host_name);
+					snprintf(match2, sizeof( match2), 
+							" SERVICE DOWNTIME ALERT: %s;", host_name);
 					}
 
 				if(show_all_hosts == TRUE)
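Review bot: The snprintf() calls that fill match1 and match2 discard the return value, so an over-long host_name is now silently truncated instead of overflowing the buffer. A truncated pattern loses its trailing `;` and becomes a shorter prefix than intended, which a later strstr() comparison (as seen in the DISPLAY_SERVICES branch) could match against log lines for other hosts. Capturing the result and treating truncation as "no match" would close that gap, for example `n = snprintf(match1, sizeof(match1), " HOST ALERT: %s;", host_name);` followed by `if(n < 0 || (size_t)n >= sizeof(match1)) truncated = TRUE;`, where `truncated` is a placeholder flag checked before the comparison. The three snprintf() calls in the @@ -853 hunk have the same gap. Note also that `sizeof( match1)` is only the buffer size if match1 is declared as an array; the declaration and the rest of the function are outside this hunk.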
@@ -853,11 +859,11 @@
 			else if(display_type == DISPLAY_SERVICES) {
 
 				if(history_type == SERVICE_HISTORY)
-					sprintf(match1, " SERVICE ALERT: %s;%s;", host_name, svc_description);
+					snprintf(match1, sizeof( match1), " SERVICE ALERT: %s;%s;", host_name, svc_description);
 				else if(history_type == SERVICE_FLAPPING_HISTORY)
-					sprintf(match1, " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
+					snprintf(match1, sizeof( match1), " SERVICE FLAPPING ALERT: %s;%s;", host_name, svc_description);
 				else if(history_type == SERVICE_DOWNTIME_HISTORY)
-					sprintf(match1, " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
+					snprintf(match1, sizeof( match1), " SERVICE DOWNTIME ALERT: %s;%s;", host_name, svc_description);
 
 				if(strstr(temp_buffer, match1) && (history_type == SERVICE_HISTORY || history_type == SERVICE_FLAPPING_HISTORY || history_type == SERVICE_DOWNTIME_HISTORY))
 					display_line = TRUE;